Keep raw PSK when set via mbedtls_ssl_conf_psk() and feed as input_bytes

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
This commit is contained in:
Neil Armstrong 2022-05-05 11:40:35 +02:00
parent 80f6f32495
commit 8ecd66884f
4 changed files with 13 additions and 48 deletions

View file

@ -1427,8 +1427,7 @@ struct mbedtls_ssl_config
* If either no PSK or a raw PSK have been * If either no PSK or a raw PSK have been
* configured, this has value \c 0. * configured, this has value \c 0.
*/ */
uint8_t MBEDTLS_PRIVATE(psk_opaque_is_internal); #endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should unsigned char *MBEDTLS_PRIVATE(psk); /*!< The raw pre-shared key. This field should
* only be set via mbedtls_ssl_conf_psk(). * only be set via mbedtls_ssl_conf_psk().
* If either no PSK or an opaque PSK * If either no PSK or an opaque PSK
@ -1438,7 +1437,6 @@ struct mbedtls_ssl_config
* mbedtls_ssl_conf_psk(). * mbedtls_ssl_conf_psk().
* Its value is non-zero if and only if * Its value is non-zero if and only if
* \c psk is not \c NULL. */ * \c psk is not \c NULL. */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *MBEDTLS_PRIVATE(psk_identity); /*!< The PSK identity for PSK negotiation. unsigned char *MBEDTLS_PRIVATE(psk_identity); /*!< The PSK identity for PSK negotiation.
* This field should only be set via * This field should only be set via

View file

@ -1527,10 +1527,9 @@ static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 ); return( 1 );
#else #endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL ) if( conf->psk != NULL )
return( 1 ); return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 ); return( 0 );
} }
@ -1541,16 +1540,11 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
{ {
/* The maintenance of the external PSK key slot is the /* The maintenance of the PSK key slot is the
* user's responsibility. */ * user's responsibility. */
if( conf->psk_opaque_is_internal )
{
psa_destroy_key( conf->psk_opaque );
conf->psk_opaque_is_internal = 0;
}
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
} }
#else #endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL ) if( conf->psk != NULL )
{ {
mbedtls_platform_zeroize( conf->psk, conf->psk_len ); mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@ -1559,7 +1553,6 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
conf->psk = NULL; conf->psk = NULL;
conf->psk_len = 0; conf->psk_len = 0;
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Remove reference to PSK identity, if any. */ /* Remove reference to PSK identity, if any. */
if( conf->psk_identity != NULL ) if( conf->psk_identity != NULL )
@ -1601,11 +1594,6 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
const unsigned char *psk_identity, size_t psk_identity_len ) const unsigned char *psk_identity, size_t psk_identity_len )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_attributes_t key_attributes = psa_key_attributes_init();
psa_status_t status;
mbedtls_svc_key_id_t key;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* We currently only support one PSK, raw or opaque. */ /* We currently only support one PSK, raw or opaque. */
if( ssl_conf_psk_is_configured( conf ) ) if( ssl_conf_psk_is_configured( conf ) )
@ -1619,23 +1607,6 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
if( psk_len > MBEDTLS_PSK_MAX_LEN ) if( psk_len > MBEDTLS_PSK_MAX_LEN )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &key_attributes,
PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256) );
psa_set_key_enrollment_algorithm( &key_attributes,
PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384) );
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
status = psa_import_key( &key_attributes, psk, psk_len, &key );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
/* Allow calling psa_destroy_key() on config psk remove/free */
conf->psk_opaque_is_internal = 1;
ret = mbedtls_ssl_conf_psk_opaque( conf, key,
psk_identity, psk_identity_len );
#else
if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ) if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
conf->psk_len = psk_len; conf->psk_len = psk_len;
@ -1645,7 +1616,6 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len ); ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
if( ret != 0 ) if( ret != 0 )
ssl_conf_remove_psk( conf ); ssl_conf_remove_psk( conf );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( ret ); return( ret );
} }
@ -4498,14 +4468,9 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
{ {
if( conf->psk_opaque_is_internal )
{
psa_destroy_key( conf->psk_opaque );
conf->psk_opaque_is_internal = 0;
}
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
} }
#else #endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL ) if( conf->psk != NULL )
{ {
mbedtls_platform_zeroize( conf->psk, conf->psk_len ); mbedtls_platform_zeroize( conf->psk, conf->psk_len );
@ -4513,7 +4478,6 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
conf->psk = NULL; conf->psk = NULL;
conf->psk_len = 0; conf->psk_len = 0;
} }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk_identity != NULL ) if( conf->psk_identity != NULL )
{ {
@ -4895,6 +4859,7 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation, static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
mbedtls_svc_key_id_t key, mbedtls_svc_key_id_t key,
psa_algorithm_t alg, psa_algorithm_t alg,
const unsigned char* raw_psk, size_t raw_psk_length,
const unsigned char* seed, size_t seed_length, const unsigned char* seed, size_t seed_length,
const unsigned char* label, size_t label_length, const unsigned char* label, size_t label_length,
const unsigned char* other_secret, const unsigned char* other_secret,
@ -4928,7 +4893,7 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de
{ {
status = psa_key_derivation_input_bytes( status = psa_key_derivation_input_bytes(
derivation, PSA_KEY_DERIVATION_INPUT_SECRET, derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
NULL, 0 ); raw_psk, raw_psk_length );
} }
else else
{ {
@ -4994,6 +4959,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
status = setup_psa_key_derivation( &derivation, status = setup_psa_key_derivation( &derivation,
master_key, alg, master_key, alg,
NULL, 0,
random, rlen, random, rlen,
(unsigned char const *) label, (unsigned char const *) label,
(size_t) strlen( label ), (size_t) strlen( label ),
@ -5298,6 +5264,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
} }
status = setup_psa_key_derivation( &derivation, psk, alg, status = setup_psa_key_derivation( &derivation, psk, alg,
ssl->conf->psk, ssl->conf->psk_len,
seed, seed_len, seed, seed_len,
(unsigned char const *) lbl, (unsigned char const *) lbl,
(size_t) strlen( lbl ), (size_t) strlen( lbl ),

View file

@ -65,10 +65,10 @@ int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 ); return( 1 );
#else #endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL && conf->psk_len != 0 ) if( conf->psk != NULL && conf->psk_len != 0 )
return( 1 ); return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 ); return( 0 );
} }

View file

@ -164,10 +164,10 @@ static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) ) if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 ); return( 1 );
#else #endif /* MBEDTLS_USE_PSA_CRYPTO */
if( conf->psk != NULL && conf->psk_len != 0 ) if( conf->psk != NULL && conf->psk_len != 0 )
return( 1 ); return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
return( 0 ); return( 0 );
} }